July 13, 2012

Leaked Yahoo Passwords Compromise Other Services

When hackers broke into Yahoo's servers this week, they likely did more damage than they expected. Though the hacking collective known as D33Ds Company said it committed the intrusion only as a "wake-up call," it also dumped more than 453,000 account names and passwords online. D33Ds may have had good intentions, but the rest of the internet might not be so kind. And because many people use the same password for multiple services, the damage is not confined to Yahoo: accounts on other services continue to be compromised with the same credentials.

Yahoo issued an apology yesterday, saying the leaked data came from an older file belonging to the Yahoo Contributor Network. Though Yahoo has yet to say whether the issue is fixed, it has said it is working on it and that less than 5% of the leaked email addresses had valid passwords. Says the official statement:

What made this leak different from the eHarmony, Last.fm and LinkedIn leaks of several weeks ago was the kind of data leaked. Those earlier dumps consisted of password hashes (unsalted, and therefore crackable, but hashes nonetheless), so attackers still had to recover each password before they could use it. The D33Ds collective obtained both the account names and the passwords in plaintext, ready to use with no cracking at all, which is what makes this combination so damaging. As is often the case, many users were also using the same credentials across multiple sites. So as these Yahoo accounts were leaked, so too were the users' accounts at AOL, Gmail, Hotmail and elsewhere.

AOL, for example, said the leaked Yahoo credentials included valid passwords for nearly 1,700 AOL accounts. AT&T, Comcast and Verizon also said some of their accounts were compromised by the leak.

Following what has become a pattern after large breaches, several security firms have released tools that let users check whether their credentials appear in the dump. One of them, Sucuri, has also published some disturbing findings about the leaked passwords: many of the passwords users had chosen to protect these accounts were weak.
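The two checks described above, a provider such as AOL matching a leaked credential list against its own accounts and the lookup tools released after the dump, can be sketched in a few lines. The Python below is an example added here; it is not from the original article or from any of the companies named. The dump lines and the provider's account list are constructed, and PBKDF2-HMAC-SHA256 with a deliberately small iteration count stands in for whatever password hashing a real provider uses. The point it makes is the one the article turns on: a provider that stores only salted hashes can still test a plaintext leak against its users, while an attacker who steals that provider's store would have to crack each hash, which is exactly the work the Yahoo dump spared them.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Tuple

# Constructed sample dump in the email:password layout of the leak (not real data).
LEAKED_DUMP = """\
alice@example.com:Summer2012!
bob@example.net:letmein
carol@example.com:correct:horse
dave@example.org:hunter2
"""

# Constructed provider user list. Plaintext appears here only so the demo can
# build a hashed store; a real provider never holds this table.
PROVIDER_ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "Summer2012!",     # reused the leaked password
    "bob@example.net": "a-different-one",   # did not reuse it
    "carol@example.com": "correct:horse",   # reused the leaked password
}

# Assumed demo-sized work factor. Production deployments use far more iterations
# or a memory-hard scheme such as Argon2 or scrypt.
PBKDF2_ITERATIONS = 100_000


def parse_dump(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines, skipping blanks and malformed entries."""
    creds = []
    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue
        # Split once only: the password itself may contain ':'.
        email, password = line.split(":", 1)
        creds.append((email.strip().lower(), password))
    return creds


def hash_password(password: str, salt: bytes = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def build_store(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Salted, hashed credential store keyed by lower-cased email."""
    return {email.lower(): hash_password(pw) for email, pw in accounts.items()}


def find_reused_credentials(dump_creds: List[Tuple[str, str]],
                            store: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Emails in our store whose leaked plaintext password also works here."""
    hits = set()
    for email, leaked_pw in dump_creds:
        record = store.get(email)
        if record is None:
            continue  # not one of our users
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            hits.add(email)
    return sorted(hits)


def demo() -> List[str]:
    """Run the provider-side check over the constructed dump and account list."""
    store = build_store(PROVIDER_ACCOUNTS)
    return find_reused_credentials(parse_dump(LEAKED_DUMP.splitlines()), store)


if __name__ == "__main__":
    for email in demo():
        print(f"force password reset: {email}")
```

The same `parse_dump` output also serves a user-facing lookup: a tool of the kind mentioned above only needs to test membership of an email address in the parsed list, with no passwords returned to the person asking.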

AOL Senior Vice President David Temkin told Reuters that while compromised accounts like these can be used to send email spam, his company contained the problem before it became serious.

“In this case, I think we actually got ahead of it before the people who stole those accounts were able to use them,” Temkin said.